AA should allow for an intelligent combination of Fingerprint and Windows Hello within a Chain, in addition to some other unrelated method like LDAP Password. By intelligent combination I mean that the local Device Service should be able to interrogate whether an attached Fingerprint reader is “Match-on-host” capable vs “Match-on-sensor” and then intelligently present to the user either the conventional “Fingerprint” (“Match-on-host”) method or the “Windows Hello” (“Match-on-sensor”) based fingerprint method. Both types of laptop built-in readers are randomly present throughout any given larger enterprise that goes through rolling refresh cycles. And the current Advanced Authentication User Experience (UX) design would frustrate the end user by requiring them to learn only through trial and error which type of device they happen to be on at that moment, by choosing one Chain (Fingerprint+Password) and then the other (Windows Hello Fingerprint+Password). The better approach would be to do it for the user: auto-select the correct fingerprint method within the same Chain based on what the Device Service learns.
